2011 lecture ia orientation


Page 1: 2011 lecture ia orientation

4/11/2011

Information Security and Risk Management in Context

The Context

Dr. Barbara Endicott-Popovsky

Page 2: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity (NSA/DHS CAE-R)

CIAC

The Center for Information Assurance and Cybersecurity

at the University of Washington  

• Promotes multi-disciplined, regional collaboration

• Produces innovative research

• Provides CNSS-accredited educational programs

• Develops well-prepared information assurance professionals

http://ciac.ischool.washington.edu/

Page 3: 2011 lecture ia orientation

Barbara Endicott-Popovsky, Director, Center for Information Assurance and Cybersecurity
Faculty, Information School and CS, UW Institute of Technology Tacoma
Email: [email protected]
Office: Suite 400 RCB
Phone: 206-284-6123
Website: http://faculty.washington.edu/endicott

Barbara Endicott-Popovsky (Pittsburgh, Pennsylvania) is the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, Seattle, WA, USA, with a joint faculty appointment in the Information School and the Computer Science Department at the UW Institute of Technology Tacoma. She previously held executive positions with The Boeing Company, Seattle, WA. Her current research interests, under the theme of the Unintended Consequences of the Information Age, include the impacts of technology on the legal structure, the calibration of low-layer network devices, network forensic readiness methodologies, and security vulnerabilities in critical infrastructure.

She earned her Ph.D. in computer science at the University of Idaho, Moscow, ID, USA (2007); an MS in information systems engineering from Seattle Pacific University, Seattle, WA, USA (1987); an MBA from the University of Washington, Seattle, WA, USA (1985); and a BA in Liberal Arts from the University of Pittsburgh, Pittsburgh, PA, USA (1967).

Ms. Endicott-Popovsky is a member of the IEEE, a founding member of the NW Regional Computer Forensics Cooperative, Principal Investigator on numerous grants, and producer of the televised Unintended Consequences of the Information Age lecture series. She has served on organizing committees for the Information Security Compliance and Risk Management Institute, the International Workshop on Systematic Approaches to Digital Forensic Engineering and the Recent Advances in Intrusion Detection (RAID) conference, and is on the editorial board of a Special Edition of the Journal on Educational Resources in Computing.

Page 4: 2011 lecture ia orientation

NSA/DHS NIETP Program:

“Growing” information security professionals in our universities

Page 5: 2011 lecture ia orientation

UW/West Coast opportunity

Page 6: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity (NSA-CAE-R)

[Figure: the Center at the hub of four areas, surrounded by Community and Sponsors]

• Outreach: PRCCDC, IRMSCI Institute, Unintended Consequences Lecture Series
• Research: Projects, Grants, Publications; IP, Consulting, Directed Research
• Academics: Classes, Workshops, UW Certificates
• Community: Agora Practitioner Community
• Sponsors

Page 7: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Multi-Disciplined IA Approach

[Figure: layered model from Goal of System down to Secure System, with IA Audit Feedback closing the loop]

Goal of System
Policy
Security Awareness / Training
Procedures & Practices
Mechanisms
Secure System
IA Audit Feedback

Contributing units: Business School (IT), iSchool, Evans School (Internet Center), Law School (Shidler Center), Tech Comm-Eng, Computer Science, Electrical Engineering

Page 8: 2011 lecture ia orientation

Academics

As an NSA-designated Center, the CIAC offers certificates, courses and workshops in Information Assurance

– UW Certificates
• Information Assurance & Cybersecurity http://www.extension.washington.edu/ext/certificates/inf/inf_gen.asp
• IT Security http://www.extension.washington.edu/ext/certificates/iss/iss_gen.asp
• Network Engineering http://www.extension.washington.edu/ext/certificates/dac/dac_crs.asp

– Classes
• Information Ethics, Security, and Privacy

– Workshops
• ISCRMI
• IP3 Seminars
• CISSP Bootcamps

Page 9: 2011 lecture ia orientation

Research

The CIAC partners with industry and government:

• Theory, Conceptual Models
– Adding the 4th R
– Theoretical Framework for Organizational Network Forensic Readiness

• Projects and Grants
– PNNL: Next Generation Honeypots
– China/Microsoft: IA Compliance Framework

• Publications
– Deception Taxonomy (for honeypots)
– Drive-by Downloads

• Directed research, IP, Consulting
– WSDOT
– Compliance-Ready Networks

Page 10: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Pacific Northwest National Laboratory

As the Center’s research partner, the PNNL expands the capacity and capabilities of the University of Washington to do classified and sensitive research and provides a foundation for a regional research center in information assurance.

• Deborah Frincke, Initiative Lead for the Information and Infrastructure Integrity Initiative (I4), and Chief Scientist (Cyber Security capability), Computational & Statistical Analytics Division, Nat’l Security Directorate
• Troy Thompson, Research Engineer
• Frank Greitzer, Chief Scientist (Cognitive Informatics R & D Area), Computational and Information Sciences Directorate
• Glenn Fink, Senior Research Scientist, Information and Infrastructure Integrity Initiative (I4), Computational & Statistical Analytics Division, National Security Directorate

Page 11: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Center Contributors

Practitioner Researchers

• Mike Simon: CTO, Creation Logic, Asso. Dir. Applied Research CIAC, Pres. Infragard Seattle Chapter
• Kirk Bailey, UW CISO, CISSP, Agora Leader, Security 7 Award
• John Christiansen, Christiansen IT Law, HIPAA, legal and regulatory compliance
• David Dittrich, Sr Security Engineer Researcher, Applied Physics, research on Distributed Denial of Service attack tools
• Ernie Hayden, CISSP, CEH, CISO, pioneering CISO positions, previously with the Port of Seattle
• Seth Shapiro, CPCU, ARM, AIS, ARe, Enterprise risk management and information security management
• Joe Simpson, IA Consultant, systems engineering and the application of systems engineering to IA
• Merike Kaeo, Double Shot Security, Internet governance and protocol expertise

Academic Researchers

Electrical Engineering
• Radha Poovendran, Asso. Dir. Research, CIAC, Asso. Prof. Comm. & Networking, Dir. UW Network Security Lab
• Ming-Ting Sun, Prof, EE, Machine learning, video processing

Information School
• Barbara Endicott-Popovsky, Dir. Ctr for IA & Cybersecurity, Res. Asso. Prof., digital forensics, secure code, enterprise IA

Computer Science and Engineering
• Henry M. Levy, Wissner-Slivka Chair, Spyware/Security, OS
• Steve Gribble, Torode Family Endowed Career Dev. Prof CS, Spyware/Security projects, OS
• Tadayoshi Kohno, Asst. Prof. CSE, Security in pervasive computing; electronic voting, wireless security and privacy

UWIT Tacoma
• Sam Chung, Asso. Professor, secure code

Mathematics
• Neal Koblitz, Prof. Mathematics, Cryptography, theory of numbers, security issues in genus-2 hyperelliptic cryptography, co-inventor elliptic curve cryptography

Law
• Jane Winn, Charles I. Stone Prof of Law, Electronic commerce law developments in the US, EU, China

Page 12: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Current Center Activities

Funded Projects

• Next Generation Honeypots – An assessment of using virtualization for network instrumentation, deception and measurement will be incorporated into recommendations for next generation honeypot design.
• Secure Coding Project – Recognizing the need for college-level, secure coding curriculum, the CIAC is piloting a program that will train Puget Sound faculty for two years, reaching over 1200 students. Success will be determined by internal and external evaluation. Once externally evaluated, curriculum modules will be disseminated inside and outside the region.
• IA Compliance Framework – A lack of regulatory controls and subsequent enforcement in China has focused outsourcing discussions on this growing challenge. An IA governance framework, adapted from industry, is proposed as a control to mitigate.

White Papers

• Cyber Warrior – Defining recruiting profiles, mentoring and management strategies for the cyber defenders
• Virtual World Security – Defining and developing unique aspects of Virtual World security
• Systems Engineering in IA – Developing implementation models for allocating systems engineering goals throughout an organization.
• IPSEC Interoperability – Defining IPSEC terminology, reconciling IETF RFC’s, implementing IPSEC procedures, recommending best practices
• Trust along the Supply Chain – Defining role of trust and IA in building supply chain relationships

Page 13: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Cyber Warrior: Effectively Defending Cyberspace

• Motivation
– Dearth of cyber defenders
– New MOS’s under development
– Industry-expressed frustrations:
– Identification and recruiting challenges
– Training out-of-the-box thinking
– Stress burnout to incident response

• Need for “cockpit” studies

• Preliminary work begun

Page 14: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Welcome to Cybersecurity Islandhttp://www.youtube.com/watch?v=fvYOaf-9n-o

Page 15: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Asset Protection Model

[Figure: four linked cubes – The Asset Cube, The System Cube, The Threat Cube, The Target Cube – [CMISS]. Axis and face labels recovered from the figure: Configuration; Value, Protection; Storage, Processing, Transmission; Integrity, Confidentiality, Availability; Technology; Policy, Practices; Human Factors; System; Threat, Target, Exposure; Action, Effect; Type, Specification, Program]

System Concepts (SM)

• Incorporates threat and systems perspective with target [CMISS]

• Establishes standard organizational basis for learning and analysis

• Provides cognitive support as well as a static and dynamic view of the model information

Page 16: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

IPSec Interoperability for Boeing-led Working Group

Project Overview: Testing interoperability issues during IPSec VPN configuration on different vendors’ products.

– Begun last year closely analyzing products of different vendors (Sonicwall, Fortigate, StoneSoft).
– Identified/compared parameters each vendor uses for hashing, encryption and authentication during IPSec VPN configuration.
– Reviewed unique approach for configuring IPSec VPN proposed by ICSA lab.
– Compared this approach with default method available in each vendor’s product for configuring IPSec.

Research divided into two phases:

• Homogenous Environment:
– Configured and tested IPSec configuration between two same-vendor devices (e.g., Sonicwall device at both ends of IPsec tunnel).
– Used common method of configuring IPSec VPN developed by ICSA lab.
– Verified that one unique method doesn’t work for all vendors.

• Heterogeneous Environment:
– Proposing to configure/test the IPSec VPN tunnel between different vendors' products (e.g., Sonicwall at one end and Fortigate at other end).
– Matrix of options developed and method to configure IPSec VPN tunnel.
– Will begin testing shortly.
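The parameter matrix this slide describes can be checked mechanically before anyone touches a device. The script below is an added illustration, not code from the CIAC project, the Boeing-led working group, or any vendor: it maps the differing labels two products use for the same IKE/IPsec algorithms onto one canonical name, computes which (encryption, integrity, DH group) proposals both ends could agree on, and flags SA-lifetime mismatches and deprecated algorithms for review. The alias table, the vendor names and the proposal sets are constructed assumptions for the example and do not describe any real product’s defaults.

```python
"""Added example: check whether two IPsec VPN endpoints share a negotiable proposal.

Vendors label the same algorithm differently ("sha1" vs "hmac-sha1"), which is one
reason a single configuration recipe does not transfer between products. The alias
table and the vendor configurations below are constructed for this example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Proposal:
    encryption: str   # vendor's label for the cipher
    integrity: str    # vendor's label for the hash/HMAC
    dh_group: int     # Diffie-Hellman group number
    lifetime_s: int   # SA lifetime in seconds


# Constructed alias table: vendor spellings -> one canonical name.
ALIASES = {
    "aes128": "aes-128-cbc", "aes-128": "aes-128-cbc", "aes128-cbc": "aes-128-cbc",
    "aes256": "aes-256-cbc", "aes-256": "aes-256-cbc", "aes256-cbc": "aes-256-cbc",
    "3des": "3des-cbc", "des3": "3des-cbc", "tripledes": "3des-cbc",
    "des": "des-cbc",
    "sha": "hmac-sha1", "sha1": "hmac-sha1", "sha-1": "hmac-sha1",
    "sha256": "hmac-sha2-256", "sha-256": "hmac-sha2-256", "sha2-256": "hmac-sha2-256",
    "md5": "hmac-md5",
}

# Still interoperable, but should be flagged in a configuration review.
WEAK_ALGORITHMS = {"des-cbc", "3des-cbc", "hmac-md5"}
WEAK_DH_GROUPS = {1, 2}


def canonical(label: str) -> str:
    """Map a vendor label to its canonical algorithm name (unknown labels pass through)."""
    key = label.strip().lower()
    return ALIASES.get(key, key)


def normalize(p: Proposal) -> Proposal:
    return Proposal(canonical(p.encryption), canonical(p.integrity), p.dh_group, p.lifetime_s)


def compare(side_a, side_b):
    """Return the (encryption, integrity, dh_group) triples both sides offer, plus
    review warnings. A tunnel is negotiable only if at least one triple matches."""
    matches, warnings = [], []
    for pa, pb in product(map(normalize, side_a), map(normalize, side_b)):
        triple = (pa.encryption, pa.integrity, pa.dh_group)
        if triple != (pb.encryption, pb.integrity, pb.dh_group):
            continue
        if triple not in matches:
            matches.append(triple)
        name = "/".join(map(str, triple))
        if pa.lifetime_s != pb.lifetime_s:
            warnings.append(f"{name}: lifetime {pa.lifetime_s}s vs {pb.lifetime_s}s; "
                            "products differ on whether the shorter value is accepted")
        if pa.encryption in WEAK_ALGORITHMS or pa.integrity in WEAK_ALGORITHMS:
            warnings.append(f"{name}: deprecated algorithm (interoperable, flag for review)")
        if pa.dh_group in WEAK_DH_GROUPS:
            warnings.append(f"{name}: DH group {pa.dh_group} is too small for new deployments")
    return {"negotiable": bool(matches), "matches": matches, "warnings": warnings}


def homogeneous_check(side):
    """Same product at both ends: every proposal should match itself."""
    return compare(side, side)


# Constructed configurations for three hypothetical products.
VENDOR_A = [
    Proposal("AES256", "SHA1", 5, 28800),
    Proposal("3DES", "MD5", 2, 28800),
]
VENDOR_B = [
    Proposal("aes-256", "sha-1", 5, 3600),
    Proposal("aes-128", "sha-256", 14, 3600),
]
VENDOR_C = [  # no overlap with VENDOR_A at all
    Proposal("aes-128", "sha-256", 14, 3600),
]


if __name__ == "__main__":
    for label, report in (("A<->A", homogeneous_check(VENDOR_A)),
                          ("A<->B", compare(VENDOR_A, VENDOR_B)),
                          ("A<->C", compare(VENDOR_A, VENDOR_C))):
        state = "negotiable" if report["negotiable"] else "NOT negotiable"
        print(label, state, report["matches"])
        for w in report["warnings"]:
            print("   warning:", w)
```

Run stand-alone, the script shows the three cases the slide distinguishes: the homogeneous pairing (A with A) matches on every proposal but carries weak-algorithm warnings, the heterogeneous pairing A with B negotiates on a single common proposal with a lifetime mismatch to resolve, and A with C has no common proposal at all, which is the outcome a matrix of options is meant to predict before testing.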

Page 17: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Trust along Supply Chain

• Application: Drug trial outsourcing to China

• Microsoft / UW governance model developed

• Collaborations:
• Interdisciplinary: Law / medical school
• Cross cultural: UW / China
• Industry partner: Microsoft

APEA 2010

Page 18: 2011 lecture ia orientation

Center for Information Assurance and Cybersecurity

Securing the Future

• Innovative Integration
• Key Collaborations
• Diverse Disciplines
• Emerging Technologies
• Organizational & Technical Management
• Technical Approaches
• Information Assurance Processes

[Figure: the Center diagram repeated – Outreach (PRCCDC, IRMSCI Institute, Unintended Consequences Lecture Series), Research (Projects, Grants, Publications; IP, Consulting, Directed Research), Academics (Classes, Workshops, UW Certificates), Community (Agora Practitioner Community), Sponsors]

Page 19: 2011 lecture ia orientation

Outreach

The CIAC sponsors community lectures and workshops.

– The Unintended Consequences of the Information Age Lecture Series http://www.uwtv.org/programs/displayseries.aspx?fid=2121

– Pacific Rim Collegiate Cyber Defense Contest (PRCCDC) http://ciac.ischool.washington.edu/?page_id=234

– The Annual Information Security Compliance and Risk Management Institute http://www.engr.washington.edu/epp/infosec/index.html

– NWSec – Tacoma http://students.washington.edu/greyhat/NWSec_at_UWT_Website_v1.5/FEB_15-16_2007_NWSec_at_UWT_Website_v1.5/nwsecPresenters.html

Page 20: 2011 lecture ia orientation

Unintended Consequences of the Information Age

A lecture series exploring controversial issues emerging in our "point and click” world

• Privacy: Reconciling Reality
• Privacy vs. Free Speech
• Our Infrastructure: Online and Vulnerable?

http://www.uwtv.org/programs/displayseries.aspx?fid=2121

Page 21: 2011 lecture ia orientation

Pacific Rim Collegiate Cyber Defense Contest (PRCCDC)

Page 22: 2011 lecture ia orientation

Information Security Compliance and Risk Management Institute:
Where Information Technology, Law and Risk Management Converge

September 16-17, 2009

University of Washington
UW Tower Auditorium
Seattle, Washington
http://www.engr.washington.edu/epp/infosec/index.php

Page 23: 2011 lecture ia orientation

CONTEXT: UNINTENDED CONSEQUENCES OF THE INFORMATION AGE

The transition from the Industrial Age to the Information Age is creating massive, upending, unintended consequences in spite of our best efforts to think through change. As we contemplate the ICANN transition from management by the US/DOC to independence, we should consider this context.

Page 24: 2011 lecture ia orientation

Context Evolution

Agricultural Age

Industrial Age

Information Age

Page 25: 2011 lecture ia orientation

Attribute                Agricultural Age    Industrial Age       Information Age
Wealth                   Land                Capital              Knowledge
Advancement              Conquest            Invention            Paradigm Shifts
Time                     Sun/Seasons         Factory Whistle      Time Zones
Workplace                Farm                Capital equipment    Networks
Organization Structure   Family              Corporation          Collaborations
Tools                    Plow                Machines             Computers
Problem-solving          Self                Delegation           Integration
Knowledge                Generalized         Specialized          Interdisciplinary
Learning                 Self-taught         Classroom            Online

Page 26: 2011 lecture ia orientation

Smashing

Industrial Age

Infrastructure!

Page 27: 2011 lecture ia orientation

And just whom do you think is going to clean up this mess, Noah?

Page 28: 2011 lecture ia orientation

THE PROBLEM

Can’t get enough technology

Page 29: 2011 lecture ia orientation

Our Love Affair with the Internet

[Collage of news headlines]

• Shoppers embrace the online model (POSTED: 0727 GMT (1527 HKT), December 20, 2006)
• Embracing Internet Technologies
• Baby Boomers Embracing Mobile Technology
• US Internet Users Embrace Digital Imaging
• Docs Embracing Internet

Page 30: 2011 lecture ia orientation

WORLD INTERNET USAGE AND POPULATION STATISTICS

Region                     Internet Users     Internet Users     Penetration       Growth        Users %
                           Dec. 31, 2000      Latest Data        (% Population)    2000-2010     of Table
Africa                     4,514,400          110,931,700        10.9 %            2,357.3 %     5.6 %
Asia                       114,304,000        825,094,396        21.5 %            621.8 %       42.0 %
Europe                     105,096,093        475,069,448        58.4 %            352.0 %       24.2 %
Middle East                3,284,800          63,240,946         29.8 %            1,825.3 %     3.2 %
North America              108,096,800        266,224,500        77.4 %            146.3 %       13.5 %
Latin America/Caribbean    18,068,919         204,689,836        34.5 %            1,032.8 %     10.4 %
Oceania/Australia          7,620,480          21,263,990         61.3 %            179.0 %       1.1 %
World Total                360,985,492        1,966,514,816      28.7 %            444.8 %       100.0 %

Page 31: 2011 lecture ia orientation

Page 32: 2011 lecture ia orientation

Page 33: 2011 lecture ia orientation

Page 34: 2011 lecture ia orientation

RESISTANCE IS FUTILE. PREPARE TO BE ASSIMULATED?

Species 8472

Courtesy: K. Bailey/E. Hayden, CISOs

Page 35: 2011 lecture ia orientation

Duality in Cyberspace

Benign: New Opportunities, Efficiencies, Convenience

Malignant: New Crimes, Privacy Loss, Threat, Intrusion

Page 36: 2011 lecture ia orientation

http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/

Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now
by Tim Stevens, posted Apr 28th 2009 at 7:23AM

Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost €51 million to develop (about $66 million) in favor of good 'ol paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million in taxpayer money.

Page 37: 2011 lecture ia orientation

July 31, 2009, 12:34 pm

Student Fined $675,000 in Downloading Case

By Dave Itzkoff

[Photo: Bizuayehu Tesfaye/Associated Press] Joel Tenenbaum was found liable for copyright violations in a trial in Boston.

Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay $675,000 to four record labels for illegally downloading and sharing music, The Associated Press reported.

A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from the Internet between 1999 and 2007, did so in violation of copyright laws and is liable for damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or siblings may have downloaded the songs to his computer. The record labels involved in the case have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much as $150,000 per track if it found the infringements were willful. In arguments on Friday, The A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to “send a message” to the music industry by awarding only minimal damages.

http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/

Page 38: 2011 lecture ia orientation

Majority think outsourcing threatens network security
Angela Moscaritolo, September 29, 2009

A majority of IT security professionals believe that outsourcing technology jobs to offshore locations has a negative impact on network security, according to a survey released Tuesday. In the survey of 350 IT managers and network administrators concerned with computer and network security at their organizations, 69 percent of respondents said they believe outsourcing negatively impacts network security, nine percent said it had a positive impact and 22 said it had no impact.

The survey, conducted this month by Amplitude Research and commissioned by VanDyke Software, a provider of secure file transfer solutions, found that 29 percent of respondents' employers outsource technology jobs to India, China and other locations.

Of those respondents whose companies outsource technology jobs, half said that they believe doing so has had a negative impact on network security.

Sixty-one percent of respondents whose companies outsource technology jobs also said their organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose company does not outsource did. However, the survey noted that organizations that do outsource were “significantly” more likely than those that do not to report intrusions.

“We're not going to say we have any proven cause and effect,” Steve Birnkrant, CEO of Amplitude Research, told SCMagazineUS.com on Tuesday. “Correlation doesn't prove causation, but it's definitely intriguing that the companies that outsource jobs offshore are more likely to report unauthorized intrusions.”

In a separate survey released last December from Lumension Security and the Ponemon Institute, IT security professionals said that outsourcing would be the biggest cybersecurity threat of 2009.

In light of the recession, companies are outsourcing to reduce costs, but the practice opens organizations up to the threat of sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files, the survey concluded.

In contrast to their overall views about the impact that outsourcing has on network security, Amplitude/VanDyke Software survey respondents were largely positive about the impact of outside security audits. Seventy-two percent of respondents whose companies paid for outside audits said they were worthwhile investments and 54 percent said they resulted in the discovery of significant security problems.

http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/

Page 39: 2011 lecture ia orientation

Connecticut drops felony charges against Julie Amero, four years after her arrest
By Rick Green on November 21, 2008 5:16 PM

The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.

Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.

"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."

In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.

"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.

"For some reason this case caught the media's attention,'' Regan said.

The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.

The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.

Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.

http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html

Page 40: 2011 lecture ia orientation

Growing Threat Spectrum

Page 41: 2011 lecture ia orientation

“If the Internet were a street, I wouldn’t walk it in daytime…”

• 75% of traffic is malicious

• Unprotected computer infected in < 2 minutes

• Organized crime makes more money on the Internet than through drugs

• The ‘take’ from the Internet almost doubled e-commerce

Courtesy: FBI, LE

Page 42: 2011 lecture ia orientation

Interdependence of Critical Infrastructure

Page 43: 2011 lecture ia orientation

We’re overwhelmed!

Society is not keeping up!

Page 44: 2011 lecture ia orientation
Page 45: 2011 lecture ia orientation

A Metaphor…..

Page 46: 2011 lecture ia orientation
Page 47: 2011 lecture ia orientation

                                                                                                                                                

Page 48: 2011 lecture ia orientation

                                                      

Page 49: 2011 lecture ia orientation

The Unintended

Consequences

Page 50: 2011 lecture ia orientation

Security and Trust in VWs

Page 51: 2011 lecture ia orientation

Trouble in Paradise?

Page 52: 2011 lecture ia orientation

Evolution of Internet Threats

Page 53: 2011 lecture ia orientation

Griefers, Phishing, Hackers, oh my!

Page 54: 2011 lecture ia orientation

Set Your “Evil Bit”* to 1
Would you have thought of these attacks?

• Facebook “get rich quick” scams
• ….. only $1 down – how can you lose?

• Driveby downloads
• Would you like Bots with that?

*See RFC3514 – The Security Flag in the IPv4 Header

Page 55: 2011 lecture ia orientation

What is at risk?

• Time
• Effort
• Repair damage
• Deal with consequences
• Prevent re-occurrence

• In-game resources
• Computing resources
• Bandwidth
• CPU
• Storage

• Real world resources
• Money
• Sensitive data
• Identity

Page 56: 2011 lecture ia orientation

Do you trust me? Why?

Page 57: 2011 lecture ia orientation

Security and Trust in Virtual Worlds

• Some ways to attempt to maintain trust
• eBay ratings
• Craigslist community flagging
• Second Life Abuse

• How to manage identity in virtual worlds
• User agreement
• Side channels
• Security zones
• Verifying avatars

Page 58: 2011 lecture ia orientation

User Agreements

• VW End User License Agreements (EULAs)
• Degrees of Protection
• Alternatives to the EULA Scheme
• General EULA Awareness

• Issues:
• Who reads them?
• What are they?

Page 59: 2011 lecture ia orientation

Side Channels: Processes Outside of VW

• Provide “trusted path” to exchange info

• Help achieve authentication goals

• Two main types:
• Prior to Virtual World interaction
• During Virtual World interaction

Page 60: 2011 lecture ia orientation

Security Zones

• Segregated areas within VW
• Training/Education
• Corporate clients
• Highly valued services

• Issues
• Cost: Second Life Private Regions (2009):
» $1,000 purchase
» $295/mo maintenance
• Restricted or open

Page 61: 2011 lecture ia orientation

VW Authentication

• SSL-like authentication for the Avatar

• Accreditation handled by 3rd party

• Issues:
• How does VW display accreditation flag?
• Potential pitfalls?

Page 62: 2011 lecture ia orientation

Don’t trust anyone!

What starts off in VW can have consequences in real world.

http://oddorama.com/2008/02/11/scamming-the-scammers-5-brilliant-419-reverse-scams/

Page 63: 2011 lecture ia orientation

What else?….

Page 64: 2011 lecture ia orientation

Questions?

Page 65: 2011 lecture ia orientation

Where are the cybersecurity professionals?

Page 66: 2011 lecture ia orientation

50,000 Health IT Jobs Expected
October 28, 2009 - 5:53pm

If government predictions are right, health IT will create 50,000 new jobs in the future. The new jobs will be needed at all levels, from engineers to IT workers. People who have experience in the computer science and informatics fields will be especially attractive to potential employers, but the federal government will put some money toward training employees. Nurses could have the hardest time transitioning from paper to digital, but the training will help to close the informatics gap.

Page 67: 2011 lecture ia orientation

U.S. Faces Cyber Security Gap Without Training, Education
March 24, 2010, By Kenneth Corbin

WASHINGTON -- As discussions about the federal approach to cyber security continue to percolate across the highest levels of government, one of the most important steps policymakers can take is to nourish the education and training of a new crop of security experts, a senior administration official said here at the FOSE government IT show. Working in concert with the government, the private sector has made significant strides in improving software security and ferreting out vulnerabilities in the supply chain, but the flow of cyber security experts graduating from the nation's universities with advanced degrees remains anemic, according to Richard Marshall, the director of global cyber security management at the Department of Homeland Security.

Page 68: 2011 lecture ia orientation

Homeland Security to hire 1,000 cybersecurity experts
By Michael Cooney, October 1, 2009 01:42 PM ET

Network World - The Department of Homeland Security wants to hire 1,000 cybersecurity professionals in the next three years, according to agency Secretary Janet Napolitano. The department has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation’s cyber infrastructure, systems and networks, she said.

Page 69: 2011 lecture ia orientation

The Options …

• “OJT” – Primary source

• Certifications – Emergent source
• Growing numbers
• But which ones?

• Education – Little to nothing
• Lack of trained faculty
• Little research funding
• Few university programs

Page 70: 2011 lecture ia orientation

Not scalable!

How do we accelerate preparation of professionals?

Page 71: 2011 lecture ia orientation

THE SOLUTION

Growing Information Security Professionals: Pedagogical Institute Model

Page 72: 2011 lecture ia orientation

Pedagogical Institute Model

[Figure: the institute surrounded by its inputs and environment]

Global Competition; Technologies & Policies; Professional & Social Trends; Experts & Community/Business Leaders; Political Environment; Economy; Ideology; Culture

Potential: Students, Researchers, Educators

Outcomes: Professionals, New Knowledge, New Technology, Ed. Products

Page 73: 2011 lecture ia orientation

Emerging Job Market

• Certified Information Systems Security Professional (CISSP) SANS/GIAC
• Certified Information Systems Auditor (CISA)
• Certified Intrusion Analyst SANS/GIAC
• Certified Firewall Analyst SANS/GIAC
• Certified Unix Security Admin SANS/GIAC
• Certified Windows Security Admin SANS/GIAC
• Certified Incident Handler SANS/GIAC
• Certified Network Auditor SANS/GIAC
• Certified Security Essentials

Job Titles
– Director, Security
– Manager, Security
– Sr. Security Analyst
– Security Administrator
– Web Security Manager
– Data Warehouse Security Manager
– Network Administrator

Source: Foote Partners http://www.footepartners.com/SSCP.htm

Page 74: 2011 lecture ia orientation

Pedagogical Institute Model

[Figure: the institute diagram from page 72 repeated – Global Competition; Technologies & Policies; Professional & Social Trends; Experts & Community/Business Leaders; Political Environment; Economy; Ideology; Culture; Potential: Students, Researchers, Educators; Outcomes: Professionals, New Knowledge, New Technology, Ed. Products]

Page 75: 2011 lecture ia orientation

Goals

• ISRM Certificate
• Efficient preparation for job market
• From literacy to problem solving
• Communication skills
• Academic and Training credentials

• Course 1: Information Security and Risk Management in Context
• Course 2: Building a Risk Management Toolkit
• Course 3: Designing and Executing Information Security Strategies

Page 76: 2011 lecture ia orientation

Content

Module 1, Module 2, Module 3, Module 4, Module 5

• No BOK for IA/IS
• CISO : ISRM as CEO : MBA
• Framework

Page 77: 2011 lecture ia orientation

Teachers

• Academic:
– Barbara Endicott-Popovsky, PhD, Information School faculty member and Director, UW Center for Information Assurance & Cybersecurity

• Practitioners:
– Mike Simon, CTO, Creation Logic, and UW Information School affiliate faculty member
– Seth Shapiro, Senior VP & Risk Strategist, Kibble & Prentice
– Ilanko Subramanian, GRM, Trustworthy Computing, Microsoft

• John Stephens, Director, UW Professional & Continuing Education

Page 78: 2011 lecture ia orientation

Teachers (Cont’d.)

Guest Lecturers
• Kirk Bailey, CISO UW, Agora
• John Christiansen, Principal Legal Counsel, Christiansen IT Law
• Aaron Weller, Managing Director, The Concise Group
• Bob Clark, PRESENTATION: ISSA
• Dennis Opacki, Senior Security Consultant, Covestic
• Ernie Hayden, Smart Grid Security, Verizon Business
• Todd Plesco, CISO, Chapman University
• Michael Ness, CEO, Ness Group
• Brian Haller, CISSP, Associate/FSO, Booz Allen Hamilton
• Jim Poland, FSO, University of Washington
• Christian Seifert, Honeynet Alliance and Microsoft Corp.
• Ivan Orton, King County Senior Deputy Prosecutor
• Joe Simpson, Systems Engineer, Systems Concepts
• Ryan Heffernan, Security Analyst, Trustworthy Computing, Microsoft Corp.
• Neal Koblitz, Professor of Mathematics, University of Washington
• Mike Howard, Security PM, Microsoft Corporation
• George Graves, IA Advisory, KPMG
• Peter Gregory, CISA, CISSP, Senior Security Analyst, Concur Technologies
• Randy Hinrichs, CEO, 2b3d
• Ming-Yuh Huang, Technical Fellow, The Boeing Company
• Ashish Malviya, MSIM intern, PNNL

NOTE: These are your network

Page 79: 2011 lecture ia orientation

RESULTSWell placed graduates

Page 80: 2011 lecture ia orientation

Sample success stories

• Asst. Dep Secy DHS – Mike Roskind
• CISO – Todd Plesco
• FSO BAH – Brian Haller
• Tech Dir NSA – Darren King
• IA Entrepreneur – Aaron Weller
• IA audit, system and risk analysts
• Research scientists

Page 81: 2011 lecture ia orientation

Unintended Consequences of Embracing the Internet…..